Bug 9275 - SAMBA4 POSIX ACL not working
SAMBA4 POSIX ACL not working
Status: NEEDINFO
Product: Samba 4.0
Classification: Unclassified
Component: File services
unspecified
Alpha Windows 7
: P5 critical
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-10 01:02 UTC by Inno Yev
Modified: 2012-10-10 19:10 UTC (History)
1 user (show)

See Also:


Attachments
Wireshark trace (server 192.168.100.100 win7 client 192.168.100.101) (331.98 KB, application/octet-stream)
2012-10-10 01:02 UTC, Inno Yev
no flags Details
this is the smbd log (24.20 KB, application/octet-stream)
2012-10-10 01:06 UTC, Inno Yev
no flags Details
List of traces in attched zip file (1.05 MB, application/octet-stream)
2012-10-10 10:04 UTC, Inno Yev
no flags Details
Additional trace log.%m (1.76 MB, application/octet-stream)
2012-10-10 11:15 UTC, Inno Yev
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Inno Yev 2012-10-10 01:02:40 UTC
Created attachment 8025 [details]
Wireshark trace (server 192.168.100.100 win7 client 192.168.100.101)

Hello,

I have following version of Samba4:

Version 4.1.0pre1-GIT-9fc42da

and trying to apply acl on shared folders from win7  but it is just not functionning:

for instance I just created the folder foldertest and trying to set permission deny on everyone and it gives the below error:

[2012/10/10 03:19:56.221168,  0] ../source3/smbd/posix_acls.c:1898(add_current_ace_to_acl) add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file foldertest.


also whatever I do I only get the below errors?

[2012/10/10 02:39:22.008985,  0] ../source3/smbd/posix_acls.c:1898(add_current_ace_to_acl)
  add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file test.
[2012/10/10 02:41:47.861209,  0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:---
  other::---
  user::rwx
  group::---
  group:3000017:rwx
  user:root:rwx
  group:users:---
  mask::rwx
   is invalid for set (Success)
[2012/10/10 02:42:01.876497,  0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:---
  other::---
  user::rwx
  group::---
  group:3000017:rwx
  user:root:rwx
  group:users:---
  mask::rwx
   is invalid for set (Success)
[2012/10/10 02:52:51.475171,  0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:---
  other::---
  user::rwx
  group::---
  group:3000017:r-x
  user:root:rwx
  group:users:---
  mask::rwx
   is invalid for set (Success)
[2012/10/10 02:53:59.949092,  0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:---
  other::---
  user::rwx
  group::---
  group:3000017:r-x
  user:root:rwx
  group:users:---
  group:3000018:r-x
  mask::rwx
   is invalid for set (No such file or directory)
Comment 1 Inno Yev 2012-10-10 01:06:47 UTC
Created attachment 8026 [details]
this is the smbd log

actually don't know how to collect a level trace for it.
Comment 2 Jeremy Allison 2012-10-10 03:21:13 UTC
Set the lines:

log level = 10
max log size = 0
log file = /usr/local/samba/var/log.%m

in the [global] section of your smb.conf, restart smbd and then repeat the operation. Don't forget to upload the correct wireshark capture file and also the contents of the debug level 10 log files.

Thanks,

Jeremy.
Comment 3 Inno Yev 2012-10-10 10:04:51 UTC
Created attachment 8040 [details]
List of traces in attched zip file

Hi,

I collected traces again in attachment:


these are the log files:

log.192.168.100.101
log.virtualserver
log.smbd

please note that the virtualserver is same as 192.168.100.101, don't know why 2 different traces were generated.


regarding the wireshark traces, there are two:

One I try to set modify permission for a user on the shared folder:
modifyPermission.pcapng

the other I set deny all on the shared folder:
denyAll.pcapng
Comment 4 Inno Yev 2012-10-10 10:26:19 UTC
Hello Jeremy.

I've uploaded the traces.

(In reply to comment #2)
> Set the lines:
> 
> log level = 10
> max log size = 0
> log file = /usr/local/samba/var/log.%m
> 
> in the [global] section of your smb.conf, restart smbd and then repeat the
> operation. Don't forget to upload the correct wireshark capture file and also
> the contents of the debug level 10 log files.
> 
> Thanks,
> 
> Jeremy.
Comment 5 Inno Yev 2012-10-10 11:15:49 UTC
Created attachment 8041 [details]
Additional trace log.%m

there was another trace: log.%m which I am attaching additionaly
Comment 6 Inno Yev 2012-10-10 11:45:38 UTC
Hello,

This issue seems related to: Bug 9160 

after I've applied 

vfs objects = acl_xattr

to each share that requires ACL's to be mapped. I have no error anymore.

is there anywhere I can find more documentation about how to configure the smb.conf?

inno.
Comment 7 Jacob Oliver 2012-10-10 19:10:31 UTC
I've just started looking at the source of this (Please forgive me for any stupid ideas, I'm 16, only know a tiny bit of C and primarily program Java), but looking at smb_acl_to_posix() within source3/modules/vfs_posixacl.c, shouldn't all the checks that look for a return of 0 actually be checking for 1?

I'm guessing a possible workaround could be to stop the fail: section from actually clearing an ACL?